PEAP/MSCHAPv2 bounded to a particular MAC Address

Alan DeKok aland at deployingradius.com
Tue Jan 28 19:36:24 CET 2014


Marco Gaiarin wrote:
> [ Sorry, I'm not subscribed to that list, I will follow it on the web
>   interface but if you can, put me on CC. Thanks. ]

  You should make it easy for people to help you.  If you make it hard,
you will probably be ignored.

> Platform: debian squeeze, freeradius 2.1.10+dfsg-2+squeeze1.
> 
> Some years ago I set up a (I think rather standard) freeradius config
> to handle PEAP/MSCHAPv2 authentication (also machine account one) for
> some portable system.
> I've also enabled some ''static'' accounts, for some guests, e.g. I can
> add in the 'users' file something like this:
> 
> 	username1      User-Password := "password1", MS-CHAP-Use-NTLM-Auth := 0, Expiration := "Apr 29 2010 18:00:00"

  Well, that's wrong.  We've been recommending Cleartext-Password
instead of User-Password for almost 10 years now.

> Now I need to lock that ''static'' password to a particular MAC
> address. I've verified that my AP sends 'Calling-Station-Id', and I've
> tried (with some Google help) something like this:
> 
> 	username1      User-Password := "password1", MS-CHAP-Use-NTLM-Auth := 0, Expiration := "Apr 29 2010 18:00:00", Calling-Station-Id == "c8b5b723ecd7"
> 
> or like this:
> 
> 	username1      User-Password := "password1", MS-CHAP-Use-NTLM-Auth := 0, Expiration := "Apr 29 2010 18:00:00", Huntgroup-Name == "ipm1"
> 
> having in 'huntgroups' a line like:
> 
> 	ipm1            Calling-Station-Id == c8b5b723ecd7	
> 
> But nothing works.

  See the FAQ for "it doesn't work".

  There's a reason it's in the FAQ (and README, "man" page, and daily on
this list).

  If you're not going to bother following the documentation, then it's
no surprise you can't get it to work.

  Alan DeKok.

